Department of Computer Science and Technology

Security Group

2022 seminars



03 May 14:00 - The gap between research and practice in authentication / Arvind Narayanan, Princeton University

Webinar - link on talks.cam page after 12 noon Tuesday

I’ll describe a recent line of work on identifying authentication vulnerabilities in mobile phone services and websites. I’ll show how authentication practice has lagged behind research and, in turn, research has not paid attention to the practical constraints that made these vulnerabilities more likely. Finally, I will draw from the experience of this research to share some thoughts on how information security research can better serve societal needs.

This talk is based on joint work with Kevin Lee, Ben Kaiser, Sten Sjöberg, and Jonathan Mayer.


26 April 14:00 - Attacking and Fixing the Bitcoin Network / Muoi Tran, National University of Singapore

Webinar - link on talks.cam page after 12 noon Tuesday

Much existing research in the blockchain field has focused on cryptographic primitives and improved distributed blockchain protocols. The network required to connect these distributed systems, however, has received relatively little attention. Yet, there is increasing evidence that the network can become the bottleneck and root cause for some of the most pressing challenges blockchains face today.

In this talk, I will introduce a few recent research projects from my group that focus on attacking and securing Bitcoin’s peer-to-peer networking protocol. I will begin with our novel Bitcoin partitioning attack, dubbed Erebus, that stealthily isolates one or more Bitcoin peer nodes from the rest of the network. Then, I will discuss how we have collaborated with Bitcoin developers to mitigate the Erebus attacks and present some remaining questions. Finally, I will mention a few open problems in securing the networking layer of blockchain in general.

BIO:

Muoi Tran is a Research Fellow at the National University of Singapore, where he recently obtained a Ph.D. degree under the guidance of Zhenkai Liang and Min Suk Kang (KAIST). His research interests broadly include network security, blockchain security and privacy. He was selected as one of the Microsoft Research Asia fellows in 2019, a distinguished shadow reviewer at IEEE S&P 2021, and an awardee of the Dean's Graduate Research Excellence Award at NUS in 2022.


22 March 14:00 - Risk and Resilience: Promoting Adolescent Online Safety and Privacy through Human-Centered Computing / Pamela Wisniewski, University of Central Florida

Webinar - link on talks.cam page after 12 noon Tuesday

Privacy is a social mechanism that helps people regulate their interpersonal boundaries in a way that facilitates more meaningful connections and safer online interactions with others. Dr. Wisniewski’s research focuses on 1) community-based approaches for helping people (adults and teens) co-manage their online privacy with people they trust, 2) teen-centric approaches to online safety that promote self-regulation and empower teens to effectively manage online risks, and 3) online safety interventions that protect our most vulnerable youth from severe online risks, such as sexual predation. Through her research trajectories above, she has become a leading HCI scholar at the intersections of adolescent online safety, developmental science, interaction design, and human-centered computing. She has created an impactful research program that intertwines research and education to engage teens, college students, experts in adolescent psychology, experts in participatory design and research methods, community partners, and industry stakeholders in a community-based effort to build the village needed to protect our youth from online risks by empowering them to protect themselves. During her talk, Dr. Wisniewski will provide an overview of her on-going grant-funded research, as well as her career-long aspirations as a “scholar activist,” which is someone committed to scholarly research and scientific rigor, but equally committed to their situations of origin and are passionate about making the world a better place through their learned experience.


18 March 16:00 - Design rules and Maxims for insecurity engineering for lock designs / Marc Weber Tobias, School of Engineering, University of Pittsburgh

Webinar & FW11, Computer Laboratory, William Gates Building.

Marc Weber Tobias and his team are senior security analysts for all of the major lock manufacturers in the U.S., Europe, and the Middle East. He has developed a comprehensive set of axioms, principles, and rules for design engineers and vulnerability assessment teams to guide them in producing security products that are less likely to be easily attacked and compromised.

The lecture includes a discussion and case examples of a failure of engineers to connect the dots and understand basic theories involving the compromise of locks and safes. The problem in the industry pervades every kind of product, as discussed in this presentation. This includes the famous Kryptonite bike lock fiasco, gun locks that are opened by a five-year-old child, gun storage cases that were accessed by a child that led to litigation, the design of a safe for the storage of weapons that ended in tragedy, and a clever and very defective electronic padlock for protecting parcels delivered to residences.

Marc Tobias is presently writing a detailed text on this subject entitled “Tobias on Locks and Insecurity Engineering” which should be available sometime in 2023.


08 March 10:00 - Sex, money, and the mating market: How big data helps us understand sexual politics / Khandis Blake, University of Melbourne

Webinar - link on talks.cam page from Monday afternoon

Why are sex differences the result of biological and economic forces? How do mating market conditions affect gendered violence? Why are so many people – including women – concerned with regulating female sexuality? For too long, our approach to gendered outcomes has quarantined the biological from the sociocultural, as if one has nothing to do with the other. Yet a close understanding of the drivers of male-male aggression, intimate partner violence, and female beauty practices shows that the biological and sociocultural often intertwine. In this talk I review a growing body of my research that uses big data to implicate mating market conditions in gendered outcomes. Using data from 113 nations, I will explain how income inequality affects the local female mating ecology and thus incentivizes intrasexual competition and status-seeking. I will then show that by disadvantaging male mate competition, the operational sex ratio and manufacturing shocks in the USA drive troubling online sub-cultures linked to gendered violence (i.e., “inCel” ideology). By linking online behaviors with offline violence, I show how social media can be used as a barometer to identify prospective hotspots of crime. By incorporating insights from behavioral ecology, social psychology, economics, and international security, I provide a functional account of gender conflict, highlighting the value of integrating competing disciplinary perspectives to understand these phenomena. With it I offer a new approach to understanding how and why sexual conflict manifests, and how attitudes toward gender are related to potential fitness payoffs.

BIO

Dr Blake is an expert on sexual politics who combines insights from evolutionary biology, psychology and big data to understand conflict and competition among people. Her research addresses big issues that profoundly influence wellbeing, including personal agency and empowerment, intimate partner violence and the varied ways in which people seek and enact status. Dr Blake convenes TwitPlat, a database of 6 billion geolocated Twitter posts spanning 9 years, and the Daily Cycle Diary, an online platform that helps women to understand how their menstrual cycle affects their psychology. She is the holder of seven international and eight domestic awards for research excellence, and has featured her work at the Festival of Dangerous Ideas, Melbourne Writer’s Festival, Melbourne International Film Festival, in The Age, The Herald Sun, The Sydney Morning Herald, and on ABC News and The Project. She is an ARC DECRA Fellow and a lecturer at the Melbourne School of Psychological Science at the University of Melbourne.


15 February 14:00 - Machine Learning in context of Computer Security / Ilia Shumailov, University of Cambridge

Webinar & LT2, Computer Laboratory, William Gates Building.

Machine learning (ML) has proven to be more fragile than previously thought, especially in adversarial settings. A capable adversary can cause ML systems to break at training, inference, and deployment stages. In this talk, I will cover my recent work on attacking and defending machine learning pipelines; I will describe how otherwise-correct ML components end up being vulnerable because an attacker can break their underlying assumptions. First, with an example of attacks against text preprocessing, I will discuss why a holistic view of the ML deployment is a key requirement for ML security. Second, I will describe how an adversary can exploit the computer systems underlying the ML pipeline to develop availability attacks at both training and inference stages. At the training stage, I will present data ordering attacks that break stochastic optimisation routines. At the inference stage, I will describe sponge examples that soak up a large amount of energy and take a long time to process. Finally, building on my experience attacking ML systems, I will discuss developing robust defenses against ML attacks, which consider an end-to-end view of the ML pipeline.


08 February 14:00 - Trojan Source: Invisible Vulnerabilities / Nicholas Boucher, University of Cambridge

Webinar & LT2, Computer Laboratory, William Gates Building.

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.


25 January 14:00 - Incident Response as a Lawyers' Service / Daniel Woods, University of Innsbruck, Austria

Webinar - link on talks.cam page after 12 noon Tuesday

This talk describes an increasingly popular model of cyber incident response in which external law firms run the show. This involves operating a 24/7 hotline in order to act as the victim firm's first point of contact, the law firm selecting and hiring external consultants like the forensics investigator and public relations advisor, and telling those investigators how findings should be documented and shared. At least 4,000 incidents were responded to under this model in 2018. I will present empirical evidence about how cyber insurance popularised this way of responding to incidents. I then describe preliminary findings on the downstream impacts like the efficiency of investigations, the extent of post-breach remediation, information sharing, and work culture in industry.

The talk is based on the paper "Incident Response as a Lawyers' Service" in IEEE Security & Privacy, doi: 10.1109/MSEC.2021.3096742


18 January 14:00 - Transcending Transcend: Revisiting Malware Classification with Conformal Evaluation / Federico Barbero, University of Cambridge

Webinar - link on talks.cam page after 12 noon Tuesday

Machine learning for malware classification shows encouraging results, but real deployments suffer from performance degradation as malware authors adapt their techniques to evade detection. This phenomenon, known as concept drift, occurs as new malware examples evolve and become less and less like the original training examples. One promising method to cope with concept drift is classification with rejection in which examples that are likely to be misclassified are instead quarantined until they can be expertly analyzed.

In this talk, I will discuss our IEEE S&P 2022 paper which proposes TRANSCENDENT, a rejection framework built on Transcend, a recently proposed strategy based on conformal prediction theory. In particular, I will hold your hand through the formal treatment of Transcend and the newly proposed conformal evaluators, with their different guarantees and computational properties. TRANSCENDENT outperforms state-of-the-art approaches while generalizing across various malware domains and classifiers. These insights support both old and new empirical findings, making Transcend a sound and practical solution for the first time.


14 January 15:00 - Hansa Market, Cyberbunker, and Encrochat: The Security Practices of Organized Crime / Erik van de Sandt, Dutch National Police and University of Bristol

Webinar

The dominant academic and practitioners’ perspective on security revolves around law-abiding recipients (i.e., referent objects) of security who are under attack by law-breaking threat agents. Yet organized (cyber) crime has threat agents as well, and is therefore in need of security. Commission and protection of crime are inextricably linked. There is a vast underground economy that caters to large numbers of traditional and cyber criminals with specialized security products and services. Think of Hansa as a secure market place, Encrochat as a secure telecom provider and Cyberbunker as a secure (i.e., bulletproof) hosting provider. Based on the insights of the book ‘The Deviant Security of Cyber Crime’ and past and recent cyber operations of the Dutch National High Tech Crime Unit such as the DoubleVPN investigation, this presentation lets us realize that cyber criminals have many more security controls at their disposal than encryption, but also face all kinds of minor, major and even unavoidable vulnerabilities.